Risk - Glossary of Terms & Acronyms

A dictionary of terms and their definitions, and the common interpretation of acronyms, used by risk and security systems developers, technical writers, managers, etc. It is especially useful for understanding advertisements for Risk and Security Managers in control of systems in Australian government, business and industrial environments.

absolute standard = an object that under specified conditions defines, represents, or records the level or magnitude of a unit. Usually expressed as a measuring device, a definition or an equation. An example of an absolute standard is the "boiling point" of water. Scientifically, this is the point at which water is converted to steam (under local temperature conditions). Physically, this is an absolute moment. The standard boiling point of water is 100 degrees C or 240 degrees F. The actual boiling point of water can never be accurately predicted, because local conditions affect exactly what temperature this conversion will take place at. Nevertheless, this standard is used in scientific work every day. See also Standards, Comparative Standard, Normative Standard, International Standards

accept (retain) = after risks have been reduced or transferred, there may be residual risks that are accepted or retained, meaning to do nothing and "accept the risk"

acceptable risk = the risk is at a level at which it is decided that should the event occur the consequences can be absorbed into current operation and no treatment is considered possible, useful or necessary

acceptance = 1. to receive officially and consent to pay, as by a signed agreement

acceptance = 2. approve progress of a software system or component to the next process or phase

acceptance = 3. take into use

acceptance criteria = a set of standards, rules, or tests on which an acceptance judgement or decision can be based

acceptance testing = formal testing conducted by users to determine whether or not a system contains the agreed functionality and satisfies their acceptance criteria. As a result of this testing, the owner can decide whether or not to accept the system as presented

accident = an unexpected, undesirable event: car accidents on icy roads. An external event risk. See also casualty

achievement / plan ratio = the actual result achieved at a particular moment in the plan compared to the planned result, expressed as a percentage or a fraction

ACSI 33 = Australian Communications Security Instructions 33

ACSI 33 SECURITY-IN-CONFIDENCE version = contains the security policies and guidance for all classifications

activity = a specified pursuit assigned to a person in a procedure. The lowest level in a work breakdown structure

activity diagram = the structure representing different activities performed in a particular business area

actual = measured, verified result

actual risk = a possible risk that has been subjected to risk analysis and for which the risk cannot be eliminated as insignificant

actuary = mathematician/statistician employed by insurance and government to collect and interpret numerical data, provide information on risk management, calculate and evaluate premiums, insurance propositions and proposals, uncertain future events, employee benefits, medical insurance and pension plans, and social welfare programs such as social security and Medicare

agreement = the definition of terms and conditions under which a working relationship will be conducted. See also service level agreement

algorithm = a. a procedure or a set of steps that may be used to solve a problem

algorithm = b. The logical sequence of operations to be performed in the execution of a program

analysis = a systematic investigation of a problem or issue, involving the break up of the problem or issue into smaller units for a more detailed study. See also business analysis, risk analysis

approved business case = the business case after it has been approved by the relevant financial authority

archiving strategies = the short and long term plans for storing the company's key risk control documents to ensure legal completion, compliance and future availability

arson = the crime of maliciously, voluntarily, and wilfully setting fire to the building, buildings, or other property of another, or of burning one's own property for an improper purpose, such as to collect insurance. A criminal risk

AS 3806:2006 = Compliance programs; See SAI Global

AS 8000:2003 = Corporate governance - Good governance principles; See SAI Global

AS IEC 60812:2008 = Analysis techniques for system reliability - Procedure for failure mode and effects analysis (FMEA); See SAI Global

AS IEC 61025:2008 = Fault tree analysis (FTA); See SAI Global

AS IEC 61882:2003 = Hazard and operability studies (HAZOP studies) - Application guide; See SAI Global

AS/NZS 3931 = Risk analysis of technological systems - Application guide

AS/NZS 4360:2004 = Risk management; See SAI Global; See also AS/NZS ISO 31000:2009

AS/NZS 4360:SET = Risk Management Set; See SAI Global; See also AS/NZS ISO 31000:2009

AS/NZS 4801:2001 = Occupational health and safety management systems - Specification with guidance for use; See SAI Global

AS/NZS 4804:2001 = Occupational health and safety management systems - General guidelines on principles, systems and supporting techniques

AS/NZS ISO 9000 = Quality management systems - Fundamentals and vocabulary

AS/NZS ISO 9001:2008 = Quality management systems - Requirements; See SAI Global

AS ISO 10002:2006 = Customer satisfaction - Guidelines for complaints handling in organisations

AS/NZS ISO 14001 = Environmental management systems - Requirements with guidance for use

AS/NZS ISO 14004 = Environmental management systems - General guidelines on principles, systems and supporting techniques

AS/NZS ISO 14050 = Environmental management - Vocabulary

AS/NZS ISO 15489 = Records management

AS/NZS ISO/IEC 17799:2006 =

AS/NZS ISO 19011 = Guidelines for quality and/or environmental management systems auditing; See SAI Global

AS/NZS ISO/IEC 27001:2006 = ; See SAI Global

AS/NZS ISO 31000:2009 = Risk management - Principles and guidelines; See SAI Global

asset management = a line of business under WGOR Method #1, Level 1

ATG = acceptance test group

ATP = acceptance test plan

ATRF = acceptance test results form

ATS = acceptance test scripts

Attorney General's Protective Security Manual =

audit = an independent assessment of products and processes to confirm compliance with requirements, conducted by a trained and authorised person. See Internal audit

audit trail = clerical or automated methods for tracing the transactions that affect the contents of a database

auditability = an IT Risk

Australian Government Protective Security Manual =

authority = power exercised by the Board of Directors or assigned by the Board to another individual or group within the company. Authority usually involves the power to make policy and commit the company. See also levels of authority

availability = an IT Risk

avoid = avoid the risk by deciding not to proceed with the activity likely to generate the risk (where this is practicable)

BA = business analysis

BA = business analyst

BAU = business as usual

BCP (pronounced letter by letter) = business continuity planning

benchmark = an agreed method of measuring achievement of a goal by setting a comparative or normative standard

benchmarking = a process of comparing the measured achievement of an organisation in a specific area with levels obtained by other organisations in that area to identify opportunities for improvement

benefit = gain

benefit = See cost/benefit

Beta Testing = See UAT

BI = business intelligence

BIA (pronounced letter by letter) = See Business Impact Analysis

Board = colloquial expression for Board of Directors

Board of Directors = an official group of directors elected (usually) at the Annual General Meeting to represent the shareholders of the company and to protect and further their interests. This is the highest authority in the company

board submission = a formal approach in writing to the board to seek approval or endorsement of a proposal or action

BOD = Board of Directors

bombing = a colloquial expression for wilfully and maliciously detonating an explosive device for the purpose of causing damage or loss of life. A criminal risk

bribe = something, such as gifts, money or a favour, offered or given to a person in a position of trust to influence that person's views or conduct

bribery = the act or practice of offering, giving, or taking a bribe. A criminal risk

BRP = business recovery plan

BRS = business requirements statement

budget = a periodic, planned program of probable expenditure

budget submission = a submission to the budget approving authority to include an item or items in an already approved budget

business analysis = a systematic investigation of a business area, its business rules, functions, work flows, requirements and data. It can be carried out by IT professionals and/or by business analysts from the business area

business case = a formal proposal to provide a solution to a business need, submitted by the user to seek approval for the provision of funding. IT is not the only provider of a business case, and the need may not always seek or require an IT solution. A business case is always preceded by a project concept document

business disruption = to throw a business, a line of business or a business sector into confusion or disorder. An external event risk

business impact analysis = an examination of a strategic plan to determine what impact it is likely to have on the company as a whole, and whether other changes implied by the execution of the strategic plan may affect the decision

business need = See business requirement

business plan = See business case

business requirement = a need the business must satisfy to continue to operate normally or to effect planned improvements. They are not necessarily technical in nature and may not always be computer or IT oriented

business requirements statement = a document that records the needs of the business for project outcomes. These must be expressed in business terms and not as a list of technical requirements

business resumption plan = See disaster recovery plan

business risk = a colloquial name for any risk that could affect the business decision in hand

capacity = the ability to receive, hold, or absorb. A measure of this ability; volume. The maximum amount that can be contained: a trunk filled to capacity. An IT Risk

casualty = an accident related to or resulting from malicious or wilful acts of harm. A criminal risk. See also Accident

catastrophic = a qualitative descriptor implying such things as huge financial loss, serious reputation loss, death, etc

category = See Risk Category

cause = originate, bring into being, create, make, or produce. Having identified a list of events, it is necessary to consider possible causes and scenarios including checklists, judgements based on experience and records, flow charts, brainstorming, systems analysis, scenario analysis and systems engineering techniques depending on the nature of the activities under review and the types of risk associated

change control = the systematic proposal, costing, justification, risk assessment, evaluation, approval / disapproval, coordination, and implementation of all proposed changes

change control procedure = the process by which a change is proposed, evaluated, approved or rejected, scheduled, implemented and tracked

change request = an officially recognized form (paper or electronic) by which users can submit their requirements for product modification/enhancement or service provision. The submission of a formal fully documented request, to include details of the change required, justification for the change and endorsed by key stakeholders

change management impact analysis report = a report which analyses proposed changes and identifies key changes such as: changes to policy, process or procedure; change in product or production characteristics; changes to user access; changes to project objectives, project costs, project performance and likely gaps; changes to management information reporting; and any other impact on risk (credit, market or operational)

changed legal environment = an unplanned event in which the legal environment changes, new laws or new ways of dealing with the law. An external event risk. An example: a new law relating to safety increases the cost of building

changed political environment = an unplanned event in which the political environment changes, new laws or new ways of dealing with the law. An external event risk. An example: a new regime in Afghanistan bans non-Islamic banking

civil disaster = an unplanned event, a catastrophe causing widespread destruction and distress; relating to citizens and their interrelations with one another or with the state. An external event risk

clarity (tasks and responsibilities) = lack of clarity in defining tasks and responsibilities can lead to confusion, loss of productivity and related losses. An organisation risk

clients with questionable dealings = failure to identify client's history of questionable dealings can lead to an increase in failure rate. A criminal risk

clients with questionable reputation = failure to identify a client's bad reputation can lead to an increase in failure rate. A criminal risk

commercial banking = a line of business under WGOR Method #1, Level 1. Includes: consumer banking; private banking; corporate banking; commercial real estate

comparative standard = an acknowledged measure of (quantitative or qualitative) value used in comparison. Usually expressed as a logical relationship, a set of or array of definitions or equations contained within a formal relationship, or mathematical formula. Measurement can only be comparative, and, when measuring in the real world, standards are very important. For example, pressure under the sea is measured in "atmospheres", that is to say one atmosphere under water is equal to the same pressure that one would experience from the air standing at sea level. The standard for 1 atmosphere is 10 meters, meaning that, in the sea, every 10 meters you descend pressure increases by the same amount as that pressure experienced from the air at sea level. This standard is not an accurate measurement and in fact there cannot ever be an accurate measurement, as pressure changes at sea level depending on local circumstances. This standard is nevertheless a useful standard and one which is responsible for saving many lives. See also standards, absolute standard, normative standard, international standards

compliance = to act in accordance with the rules, to follow the rules exactly as stated

compliant = tested against a particular standard

confidence level = an assumption of the VaR model about how confident we are about the results of the normal distribution, such as 99%, meaning that we expect unexpected losses to occur one day in 100

confidentiality = done or communicated in confidence; secret. The company is entrusted with the confidence and personal information of the customer, the unauthorised disclosure of which poses a threat to the customer and to the company's relationship with the customer. An IT Risk

conflict of interest = any relationship which is not, or appears not to be, in the best interests of the company. A conflict of interest could prejudice an individual's ability to carry out his/her duties objectively

conservative risk model = an assumption in the Risk Preview Model. This model assumes a conservative stance, that is to say, the outcome of LIKELIHOOD * CONSEQUENCE is the higher risk factor of the two elements. See also Risk Preview Model

consequence = the outcome of an event or situation expressed qualitatively or quantitatively, being a loss, injury, disadvantage or gain. See also risk analysis

contingency plan = a set of provisions to ensure that an information system can continue to operate in another (possibly degraded) mode when an event occurs that interrupts or destroys the information processing capabilities

continuity = the ability to maintain continuous service. An IT risk

contract = a binding agreement between two parties, especially enforceable by law, or a similar internal agreement wholly within an organisation. See service level agreement

control = any action taken by management to enhance the likelihood that established objectives and goals will be achieved. The result of planning, organising and directing by management. See also directive control, detective control, internal control, preventive control

control environment = a colloquial expression referring to an array of elements affecting the way business is controlled. It refers to such things as the significance of control within the company, the role of the Board and Management in the control process, awareness of control throughout the company and levels of compliance with control routines. The control environment will be affected by: integrity and ethics; management's philosophy and operating style; organisational structure; assignment of authority and responsibility; HR policies and practices; and competence of personnel. See also directive control, detective control, internal control, preventive control

controllability = an IT Risk

corporate governance = an organisation risk

corrective action = an action taken to eliminate the causes of an existing problem, defect or other undesirable situation in order to prevent recurrence

correlation coefficient = a measure of the interdependence of two random variables that ranges in value from -1 to +1, indicating perfect negative correlation at -1, absence of correlation at zero, and perfect positive correlation at +1

corrupt = to wilfully destroy or subvert the honesty or integrity or moral standing of associated staff members. A criminal risk

covariance = a statistical measure of the joint variation of two random variables that are observed or measured over the same time period. This measure is based on the product of the deviations of corresponding values of the two variables from their respective means

CP (pronounced letter by letter) = Contingency Planning

CRE = credit risk exposure

credit risk = the speculative risk of borrower default related to the extension of any authorised or unauthorised credit

credit risk capital charge =

credit risk exposure = total outstandings for this product

credit risk model = a model used for defining the response of the company to credit risk

CRF = change request form

criminal risk = under WGOR Method #1, criminal risk includes the following elements: internal fraud / external fraud; money laundering; corruption; theft / robberies; personal safety; terrorism / vandalism; intentional breaching of standards and values. Examples of criminal risk are: theft, embezzlement, misappropriation, forgery; clients with questionable dealings/reputation; bribes (gifts or money); loss of assets; casualties, physical security; hostage taking, kidnapping and extortion; arson, bombing; front running, insider trading, rogue trading, sexual harassment, market manipulation.

critical process = a process that must be performed if a product is to be delivered to its (internal or external) market place

DC 09/30140724 BS ISO 26000 = Guidance on social responsibility; See SAI Global

DC 09/30185799 BS EN ISO 11354-1 = Advanced automation technologies and their applications. Part 1. Framework for enterprise interoperability; See SAI Global

deliverable = any output that has been produced by a project team, that is expected, or promised. Examples of deliverables are: project plan; business case; post implementation review; logical design; database design; implementation plan; test plan and completed software applications. Deliverables are identified in the project management plan. See also project deliverable

dependency = a. a certainty in system design formally derived (i.e. by logic) from assumptions or requirements

dependency = b. An absolutely sequential relationship between events

dependency = See also requirement

development and implementation risk = an IT Risk

development life cycle = See life cycle

disaster = (a) an unplanned event having fatal or ruinous results

disaster = (b) a sudden, accidental event causing massive death, injury, or damage. Examples of common natural causes of disasters include earthquakes, floods, hurricanes and typhoons, tornadoes, tsunamis, volcanic eruptions, wildfires, landslides and avalanches. Disasters produced by human forces include accidents involving passenger-carrying airplanes, ships, and trains; collapse of buildings, bridges, tunnels, and mines; and explosions and fires unintentionally triggered by humans

disaster recovery plan = a plan for recovering from a disaster to pre-disaster condition as far as possible. Sometimes called a Business Resumption Plan (BRP)

domain = See risk domain

DR 09053 CP = Business continuity - Managing disruption related risk - Part 1: Specification; See SAI Global

DR AS/NZS ISO/IEC 38500 CP = Corporate governance of information technology; See SAI Global

DRP (pronounced letter by letter) = See Disaster Recovery Plan

DSD = Defence Signals Directorate

DSD certification framework =

DSD Infosec-Registered Assessor Program (I-RAP) =

emergency = a fix which is required urgently. Undertake immediate problem resolution and conduct emergency migration procedures. To be followed by normal testing and PIR close out

embezzlement = to take (money, for example) for one's own use in violation of a trust. A criminal risk

Emergency Response Planning (ERP) =

encryption = scrambling of the content of network packets

EOD = End Of Day

EOM = End Of Month

EOW = End Of Week

EOY = End Of Year

ERP = Emergency Response Planning

ethics dictionary = some important words for corporate ethics

expert advice = the owner/sponsor seeks input from Internal Audit, Information Security, Physical Security, Risk Management and/or other areas to ensure that the Risk Register analysis is complete

external audit = an examination, by examiners independent of the company, of records or financial accounts to check their accuracy

external event risk = under WGOR Method #1, external event risk includes the following elements: natural disasters; civil disasters; outsourcing risk / supplier risk; political risk; changed legal / political environment; liability risk; business disruption risk. Examples of external event risk are: accidents, fire, flood, storm, earthquake; terrorist acts, revolt; level of dependency, monopoly with provider, misuse of confidential data, breach of service level agreement; war, expropriation of assets, business blocked, financial markets disturbances; changes of regime (e.g. of tax or regulatory authorities); lawsuits (from e.g. customers, suppliers, government); energy failure, external telecommunications failure, failure of transports.

external fraud = a deception deliberately practiced by a person or entity outside the company in order to secure unfair or unlawful gain. A criminal risk

extortion = to obtain money or benefit from the company by coercion or intimidation. A criminal risk

failure modes, effects and criticality analysis = each failure mode identified is ranked according to the combined influence of its likelihood of occurrence and the severity of its consequences

fault tree analysis = a systems engineering method for representing the logical combinations of various system states and possible causes which can contribute to a specified event (called the top event)

file = a set of related records treated as a unit

file note = an informal record kept on file as a reminder of an event or conversation or containing technical information that may be required again at a later date

FMEA = failure mode and effects analysis

FMECA = failure modes, effects and criticality analysis

forgery = to make a copy of (usually signature), usually (but not always) with the intent to defraud. A criminal risk

fraud = a deception deliberately practiced by a person or group of persons in order to secure unfair or unlawful gain. See internal fraud and external fraud

frequency = a measure of likelihood expressed as the number of occurrences of an event in a given time. An example of frequency: 500 near misses per month. See also likelihood and probability

front running = to set up an apparently respectable person, group, or business to be used as a cover for secret or illegal activities. A criminal risk

function = a colloquial expression for the specific purpose or characteristic activities of an entity

functional = related to or pertaining to function

Gantt chart = a graphical view of a schedule that shows start and finish dates, and progress of each recorded activity. It may also show activity dependencies

gap analysis = formal analysis of the difference between a system specification and a particular set of functional analysis and user requirements

GB 002:2007 = The Business Excellence Framework; See SAI Global

General Reserve = standard capital charges made for risk based on historical experience. Aggregate amounts for each category of loans

goal = a target expressed in an absolute physical measurable outcome that is intended to be reached by a given moment in time. See objective

governance = clear delineation of authority and responsibility for risk-related activities across the company, at all levels

hazard = a source of potential harm (ISO/IEC Guide 51)

hazard = See risk exposure. Note this is what we call a hazard in the Finance world so that it is not confused with the risks of personal accident and injury of the engineering world

HB 18.2 = Standardization and related activities - General vocabulary

HB 141:2004 = Risk financing guidelines; See SAI Global

HB 158:2006 = Delivering assurance based on AS/NZS 4360 Risk Management; See SAI Global

HB 203:2006 = Environmental risk management - Principles and practices; See SAI Global

HB 205-2004 = OH&S Risk Management Handbook

HB 221:2004 = Business Continuity Management

HB 231:2004 = Information security risk management guidelines

HB 246:2004 = Guidelines for Managing Risks in Sport and Recreation; See SAI Global

HB 254:2005 = Governance, risk management and control assurance; summarizes strategies used by organizations to implement Control Assurance Plans; See SAI Global

HB 436:2004 = Risk management guidelines - Companion to AS/NZS 4360:2004, See AS/NZS ISO 31000:2009

HR risk = under WGOR Method #1, HR risk (or Human Relations risk) includes the following elements: quality of management; integrity; recruitment; development; competence; retention; appraisal; release; capacity; key personnel. Examples of HR risk are: leadership skills, integrity, risk awareness; new hires, years of experience, competence; availability and usage of HR strategy and policy, training, code of conduct, understanding of product; skills to perform tasks; satisfaction, motivation, compensation, years on the job, educational level; clear objectives, uniform; wrongful dismissal; work pressure; loss of clients.

holding period = an assumption of the VaR model of the most frequently chosen holding period, such as ten (10) days

hostage taking = to hold a person or persons in a conflict in captivity as security that specified terms will be met by the opposing party. A criminal risk

impact = consequence

impact analysis =

infrastructure = an IT Risk

internal audit = an independent appraisal function within the company to examine and evaluate the company's own (organisation, procedures and) activities to assure they are adequate and that the activities comply with the requirements of the company's policies. The objective of internal audit is to assist members of the company in the effective discharge of their responsibilities. To this end, internal audit furnishes them with analyses, appraisals, recommendations, counsel, and information concerning the activities reviewed. The audit objective includes promoting effective control at reasonable cost

internal control = a process carried out within the company designed to provide reasonable assurance regarding the achievement of the following objectives: The reliability and integrity of information; compliance with policies, plans, procedures, laws, regulations, and contracts; the safeguarding of assets; the economical and efficient use of resources; and the accomplishment of established business objectives and goals.

internal fraud = a deception deliberately practiced by a person or group of persons inside the company in order to secure unfair or unlawful gain. A criminal risk

internal product = a service or product provided by a unit at company for another productive unit as part of a critical process

internal product value = the value of the product is the opportunity cost of performing the critical processes that gave rise to the product. That is to say, how much would it cost to "outsource" the product or to employ an outside agency to perform the critical process?

internal service level agreement = a formal agreement between two departments in which specific requirements are established for quality and delivery speed. See service level agreement

International Standards = the risk management concepts employed in the Risk Management Policy Manual are generally based on AS/NZS 4360:2004. Operational Risk Concepts are based on WGOR Level 1. Any concept of quality employed is generally based on ISO 9001:2000; See AS/NZS ISO 31000:2009

insider trading = to use one's special knowledge or access to confidential information to conduct trading for special benefit. A criminal risk

insignificant = a qualitative descriptor implying such things as low financial loss, no customer loss, work-arounds, etc

intentional breaching of standards and values = a criminal risk

International Organisation for Standardization = an international organisation responsible for producing (ISO) standards for many industries

investment banking = a line of business under WGOR Method #1, Level 1

I-RAP = Infosec-Registered Assessor Program (DSD)

irregularity = the intentional misstatement or omission of significant information in accounting records, financial statements, other reports, documents or records. Irregularities include: a. fraudulent financial reporting which renders financial statements misleading; and b. misappropriation of assets. Irregularities may involve: falsification or alteration of accounting or other records, and supporting documents; intentional misapplication of accounting principles; and misrepresentation or intentional omission of events, transactions, or other significant information.

ISO/IEC Guide 51 = Safety aspects - Guidelines for their inclusion in standards

ISO/IEC Guide 73 = Risk management - Vocabulary - Guidelines for use in standards

ISO Standard = a document published by the ISO which provides an internationally recognized set of rules for undertaking various activities

ISO Guide 73:2009 = Risk management - Vocabulary; See SAI Global

ISO/DIS 26000 = Guidance on social responsibility; See SAI Global

ISO 31000:2009 = Risk management - Principles and guidelines; See SAI Global

ISO/IEC 31010:2009 = Risk management - Risk assessment techniques; See SAI Global

issues list = a database or paper list of items affecting a project or other work. These may be positive or negative, and they represent something which exists, as opposed to a risk, which has not yet happened

ITSEC = Organisation responsible for certifying security products

IT risk = under WGOR Method #1, IT risk (or information technology risk) includes the following elements: technology investment risk; development and implementation risk; project risk; reliability; continuity; recoverability; availability; performance; confidentiality; controllability / auditability; capacity; infrastructure. Examples of IT risk are: cost / time overruns; definition of business requirements; availability and usage of standards, documentation, user acceptance; manageability, effectiveness, efficiency; correctness, completeness, timeliness; fall back, contingency; criticality; user satisfaction, capacity, integration with systems / processes; logical and physical access controls, privacy, encryption; logging of activities; ability to perform tasks; compatibility, transparency, upgrade possible.

key stakeholder = See stakeholder

kidnap = to seize and detain unlawfully and usually for ransom. A criminal risk

LCR = loss from credit risk

liability risk = an external event risk

life cycle = the term Development Life Cycle is often used to describe the methodology used to define and document the planning, managing and recording of events and activities that are required for a business product or process from the moment of its inception to the moment it is replaced or abandoned. In IT, the methodology is called system development life cycle (SDLC). In banking, the methodology is called product development life cycle (PDLC). The formal explication of and commitment to these development life cycles is important to risk management because it clearly defines all the processes and allows us to see clearly where risk management routines can make a difference to performance within the company. See also SDLC

likelihood = used as qualitative description of probability and frequency

line of business = under WGOR Method #1, Level 1, there are four lines of business: commercial banking; investment banking; asset management; other.

liquidity risk = a subcategory of market risk. The risk that the company will not have sufficient liquid assets to meet normal operating requirements

local forms & templates = forms and templates designed for use only within the business domain of the person approving them

loss = any negative consequence, financial or otherwise

loss of assets = a criminal risk

loss exposure = a measure of possible loss that could arise from an actual risk. See also maximum potential loss exposure

loss potential = an attempt is made to prioritise items appearing on the risk register by financial or reputation loss potential

major = a qualitative descriptor implying such things as major financial loss, reputation losses, extensive injuries, loss of production capability, company causes disaster with no detrimental effects on society, etc

management committee = a formally appointed group of senior managers, with certain delegated responsibilities

market manipulation = to use one's power over the market for shrewd or devious management, especially for one's own advantage. A criminal risk

market risk = all price and interest rate risks, tied to managing the company's assets and liabilities

market risk model = a model used for defining the response of the company to Market Risk

maximum potential loss exposure = the maximum amount of loss that is possible/likely from an actual risk

migrate risk = to move a risk to another party. See also risk transfer

milestone = a scheduled event for which one is held accountable and that is used to measure progress. A milestone is "cognitive", meaning it is an event that people can easily "see", "envision" or will intuitively know they have reached it when they get there. It is therefore something which naturally acts as a goal. A milestone differs from a phase which is a period of time in a project over which it is useful for evaluating effort, i.e. historical and analytic. For example, when the roof is completed this might be an important milestone because it allows people to work out of the sun's rays, but it may be completed at an early part of the construction phase. Another example: "100 runs" is an important milestone but the phase is the "innings". See also phase

minimise risk = to formally adopt a plan to reduce risk to the smallest possible amount, extent, size, or degree

minor = a qualitative descriptor implying such things as medium financial loss, few customers loss, first aid treatment, etc

misappropriation = to set apart for a specific use; to take possession of or make use of exclusively, often without permission, for a purpose other than that stated. A criminal risk

mission = the highest-level statement of objectives. It gives a broad description of the purpose and policy of the organisation. Its purpose is to promote an overall objective that expresses succinctly what purpose the activities of the organisation are working towards in a manner that everyone in the organisation can relate to

mitigate risk = in special circumstances it may be possible to plan things in such a way that, if the event does occur, it will have little or no impact. This is especially relevant to circumstances where risks have arisen because of bad conditions or bad planning

modelling = a formal, logically consistent, integrated set of assumptions, methods, values, measurements and applications whose purpose is to show the full ramifications of analysis employed in risk management decision-making. These models include: (1) Credit Risk Model; (2) Market Risk Model; and (3) Operations Risk Model

moderate = a qualitative descriptor implying such things as high financial loss, many customers loss but no general reputation loss, medical treatment required, etc

money laundering = to disguise the source or nature (of illegal funds, for example) by channelling through an intermediate agent. A criminal risk

monitoring = to check, supervise, observe critically, or record the progress of an activity, action or system on a regular basis in order to identify change

motivation to change = an event or situation leads the business to develop a new product, process or procedure

MTBF = mean time between failures

MTTR = mean time to repair

natural disaster = a disaster with a natural cause, such as an earthquake, flood, hurricane or typhoon, tornado, tsunami, volcanic eruption, wildfire, landslide or avalanche. An external event risk

nomenclature = an agreed naming convention or an agreed set of names

normal distribution = a theoretical frequency distribution for a set of variable data, usually represented by a bell-shaped curve symmetrical about the mean. Also called Gaussian distribution

normalcy = the assumption, built into a model, that it operates under normal working conditions; in statistical terms, that the variable being modelled follows a normal distribution

normative standard = an object that has been agreed (usually by formal internationally acclaimed bodies) to define "correct", "best", "recommended" or "required". These may apply to measurement (comparative) or definition (absolute), but may also be used to describe process, practice, nomenclature, required magnitude for performance, recommended value for a specific result, comparative process, etc. An example of a normative standard is ISO 9000, which dictates the best business practices for improving or guaranteeing "quality". In fact, one could refer to the SDLC as adopted by the company as a normative standard. Usually in SDLC, when we refer to "standards" we are referring to normative standards, that is to say, standards that are agreed by business or technological experts to be the "best" methods. However, comparative and absolute standards do play a role. See also ISO, ITME, ITSEC, ISO Standard. See also standards, comparative standard, absolute standard, international standards. For an example of a normative standard see the Risk Department's Policy Manual

NPV = net present value

objective = a general statement about the direction an organisation intends to take in a particular area without stating a specific target to be reached by particular point in time (which are commonly called 'goals'). See also Business Objectives. The mission statement is made achievable by its dissection into clear 'statements of objective' that can be agreed by managerial groups within the company as acceptable and achievable

operational risk = any pure risk; i.e., our exposure to unplanned losses that arises from any non-speculative dealings

operational risk exposure = a numerical risk reading assigned to a qualitative descriptor (or set of descriptors) to assist with a better understanding of the levels of possible and actual risk involved

operational risk model = a model used for defining the response of the company to operational risk

ORE = operational risk exposure

organisation = a company, firm, enterprise or association, or other legal entity or part thereof, whether incorporated or not, public or private, that has its own function(s) and administration

organisation risk = under WGOR Method #1, Organisation Risk includes the following elements: Corporate governance; requirements (organisational set-up); and clarity (tasks and responsibilities). Examples of organisation risk are: authority, adequate information flow, clear reporting lines, overview; segregation of functions, dual control, audit, risk control; and guidelines and procedures, documented, achievable, accountability; other. A line of business under WGOR Method #1, Level 1

output = a. information passed to a communications system for transmission out of a computer system after processing. b. a position, terminal, or station from which output leaves a system. c. the result of a process

outsourcing risk = an external event risk

PCD = Project Concept Document

PDLC = Product Development Life Cycle

PDP = Product Development Plan

peer group = a group of staff members, generally working in the same area or with the same interests or responsibilities and at about the same level, used to informally review the work of another of the group

performance = an IT Risk

personal safety = a criminal risk

phase = a discrete period of time delineated by a major beginning and an ending event and that can be understood as a single concept. There are a number of established phases for planning and control of a project under SDLC. These are planning; analysis; design; package evaluation and selection; configuration and package implementation; testing; implementation; and post implementation review. See also milestone

physical security = a criminal risk

PMP = Project Management Plan

policy = a management directive or statement of intent. Frequently expressed through issuing a standard, a policy manual or a policy statement

policy manual = a document that discusses in detail all issues related to the implementation of a particular policy statement. The purpose of the policy manual is to look at the ramifications of a particular policy statement across all Divisions of the company, and to describe in detail the impact of this policy statement on particular areas of the company's operations. These may be considered as "sub-policies". All sub-policies must be completely consistent with the policy statement. (Note: a policy manual often needs to consider "related policies".) The policy manual does not discuss matters at the procedural level or at the level of work instruction, except to make statements of intention, principle or purpose. For an example of a Policy Manual see the Risk Management Policy Manual

policy statement = a statement made by the Board of Directors. All policy and procedures throughout the company are considered to have their origin in one of these statements. A policy statement is often proposed to the Board by management committees or Divisional Managers, but may originate from Board Committees or from the Board themselves. A policy statement is usually kept brief to enable the Board to focus on the issues contained within it, and to completely understand its content, before giving its approval. For an example of a policy statement see operating policies

political risk = an external event risk

possible risk = a list of risks agreed upon to be considered in any risk analysis by company. There are three lists of possible risks: credit, market and operational. See also actual risk

PR = problem report

prevent = in special circumstances it may be possible to reduce the risk by changing the circumstances that give rise to the risk, that is to say, reducing the likelihood or consequence of the event, or both. Usually, however, events are seen as external to the company and therefore prevention is not a viable option

preventive controls = a formal, planned action to deter undesirable events from occurring

priority = the order in which a work will be undertaken

privacy = protection of sensitive information from access by parties without a 'need to know'

probability = the likelihood of a specific outcome, measured by the ratio of the number of outcomes in which the event occurs to the total number of equally likely outcomes. Probability is expressed as a number between 0 and 1, with 0 indicating an impossible outcome and 1 indicating an outcome that is certain

probability = the extent to which an event is likely to occur (ISO/IEC Guide 73)

probability of default = grades in credit risk analysis indicating likelihood and willingness to pay: Grades as follows: Good; Special Attention; Sub-standard; Doubtful; and Bad

procedure = a. A set of manual or automated steps or activities required for accomplishing a task. A procedure is a part of a process

procedure = b. A document used to describe things that need to be done. Procedure is regarded as flowing directly from the Policy Statement. Usually, a procedure is authorised by the owner of the (technical or business) process that the procedure describes. Procedural statements are statements made by those in charge of day-to-day management (such as the Management Committee or the Divisional or Departmental Manager) (we call this person the "owner" of the procedure). Often more than one (related) procedural statement is needed to fully describe a process. The key factor dictating where a procedure starts and finishes is the logical sequence or flow of tasks required to complete the procedure. That is to say, a procedure is limited to those tasks that can be understood as a single array. A procedure must also be "owned" by only one "owner". A procedure can assign tasks to a number of different individuals or groups

process = a set of inter-related activities, which transform input into output. A productive process. An operation. A process is usually made up of a number of procedures

process audit = an audit which examines the processes that lead to the end product or service

processing risk = under WGOR Method #1, Processing Risk includes the following elements: procedures; efficiency; effectiveness; working methods; checks and balances; input error; model risk; recording; privacy and confidentiality; internal reporting; external reporting. Examples of processing risk are: documented, up to date, ownership, in line with standards; cost vs. budget; realisation of objectives and goals, satisfaction; authorised, stratification, limit adherence, according to prescribed procedures; timely reconciliation, independent valuations; wrong data, incorrect input, incorrect marked-to-market; inappropriate parameters, incorrect programming, invalid assumptions, mathematical errors; logging; clean desk, Chinese walls; present, relevant, error free, actively used by management; regulatory, financial and tax reporting

product = Something of value that is the direct outcome of a process within the company

product acquired = a milestone in the SDLC planning process. All products have been acquired under contract and Key Stakeholders have been informed. We are now ready to install

product audit = an audit which examines the end product or service

product development life cycle = processes, activities, and tasks involved in the development, operation, and maintenance of a product, spanning the life of the product, from the definition of its requirements to the removal of the product from the market place

product development plan = product development plans are similar to a project management plan but deal with all the steps that need to be performed to introduce a new product to the marketplace, or make significant changes to an existing product. The marketing action plan is a part of the product development plan, but there are many other changes that need to be performed, such as changes to policy, procedures, accounting systems, technological upgrades and training

product implemented = a milestone in the SDLC planning process. The product is fully implemented and in production

product owner = the owner of the product at company, both market products and internal products, is the person who owns the critical process that gave rise to that particular product

product ownership = Clear delineation of authority and responsibility for "product" which involves the concept of "critical process"

production = a colloquial expression ("in production") meaning "live" or in the "real world" or a working environment in which the output is expected to be "real"

production environment = an environment made up of elements that are all considered to be in production. The production environment has many specific benefits (when testing) but also many specific risks

products register = a document for identifying all the products in the company (both internal and external) and their owners. This is a key document because "Product Ownership" is fundamental to the risk management process. Owned and maintained by the Risk Management Department

professional responsibility =

project = a body of work undertaken in a planned and controlled manner. A project must have been approved for commencement or commissioned, have a defined time frame, require resources, require funds, have a defined duration. A project ceases to be called a project upon implementation of the planned system, application, etc., into a production environment

project concept document = a document prepared to describe a business need requiring solution. It contains sufficient detail to enable management to decide whether to proceed to the preparation of a business case. It has the same format as a business case, with less detail

project concept fully developed = a milestone in SDLC planning. The project concept is fully developed, reviewed and approved and initial sponsor and initial stakeholders have been notified

project costs = a list of all costs, such as equipment, software, time or labour, necessary for the attainment of the stated objectives and goals of the project

project controls in place = a milestone in the SDLC planning process. The project is under way and all the project controls are in place. For example the project sponsor, the project board and the project manager have been appointed, project management systems have been set up and the project review team is in place

project initiation = the initial phase of a project. Its outputs are a project concept document, and a business case

project initiated & reviewed = a milestone in the SDLC planning process. The business case has been prepared and reviewed, and the sponsor and initial stakeholders have been informed. The business case is now ready to go to the financial authority for funding approval

project management = the planning, organising, coordinating, directing and controlling of any project or task with responsibility for results within a specified period of time

project management plan = an essential management document describing the approach that will be taken for a project. The plan typically describes the work to be done, the resources required, the methods to be used, the configuration management and quality assurance procedures to be followed, the schedules to be met, the project organisation, etc. See also risk management project management plan

project management = specialist terms & acronyms

project manager = a senior officer, usually from the Information Technology Division, who manages all the SDLC aspects of a project on a day to day basis. His responsibilities include controlling IT staff resourcing and time requirements for a project, budgets, schedules, IT resource allocation and tasks. He reports regularly to IT management on project issues. The term is also used for a non-IT project

project risk = an IT Risk

project schedule = an organised set of tasks for which start and finish dates and resources have been assigned. It is prepared using package software from Microsoft

project team = all the personnel assigned to work on a Project full or part time, who are managed by the Project Manager

PSCC = Protective Security Coordination Centre (Attorney-General's Department)

PSM = Protective Security Manual (issued by the Attorney-General's Department)

pure risk = the chance of an unexpected or unplanned loss without the accompanying chance of a gain

QA = quality assurance

QC = quality control

quality = compliant with ISO 9000, ISO 9001, ISO 14000, etc.

quality assurance = all the planned and systematic activities implemented within the organisation, to provide confidence that a product or service will fulfil the user's requirements

qualitative analysis = a method of calculating risk that can be applied to products and processes that is produced/performed at such a high level of generality that it is impossible to assign numeric descriptors. Qualitative Risk Analysis is often subjective and intuitive but nevertheless has been found to be an effective method for calculating risk, because it allows us to use the manager's experience to evaluate both likelihood and consequence without getting bogged down in questions of numerical relevance and model integrity

quality audit = an audit involving the planned and systematic examination of systems, processes, procedures and products to ensure documented methods are being applied, specifications are being met and that records are being maintained to provide objective evidence of conformance

quality control = product oriented measures that ensure outputs are consistently in accordance with specifications

quantitative analysis = Uses numerical values for both likelihood and consequences using data from a variety of sources. The quality of the analysis depends on the accuracy and completeness of the numerical values used

RA (pronounced letter by letter) = Risk Analysis

RAA (pronounced letter by letter) = Risk Avoidance Analysis

recovery = restoring the system to a proper state, including recovery of data. It could involve: reconstruction of the database, so that it is restored to its pre-failure condition; restoration of the communication network or portion thereof with reconnection of the users active at the time of failure; proper restarting or other handling of transactions that were in process at the time of failure; and appropriate restarting of the software components

recoverability = an IT Risk

regulatory risk =

reliability = an IT Risk

request for information = an RFI is a document issued by the company to elicit information from the marketplace on what is available in a specific area of interest, to find out the latest developments in technology, to discover industry capability. It may be used to assist in formulating a business case in response to a perceived need in the Business. An RFI should avoid any suggestion that an immediate acquisition is intended from any supplier and it should make it quite clear that the company may or may not proceed on the basis of the information provided

request for proposal = a document issued to the marketplace requesting vendors to provide costs and details of their capability and willingness to provide systems, software, products and services, required by the company to meet a business need. An RFP is normally used to elicit proposals from vendors where the business need is clear, but the marketplace capability, availability and solution and approach alternatives are not known

request for quote = a document issued to the marketplace requesting vendors to provide costs and details of their capability and willingness to provide systems, software, products and services, required by the company to meet a business need. An RFQ is normally used for the simple supply of hardware items or shrink-wrap software. It may be used for training courses and symposiums and for any other instance where price alone will be the deciding factor. An RFQ is an extremely simplified type of request. For non-project purchases an RFQ may precede a direct purchase using Form 1

request for tender = a document issued to the marketplace requesting vendors to provide costs and details of their capability and willingness to provide systems, software, products and services, required by the company to meet a business need. An RFT is normally used for large acquisitions where the requirement is clear and the marketplace capability is known. The company is sure of the preferred solution and the approach it wants taken and is asking for detailed estimates of cost, technology and timeframes. An RFT will normally contain sections addressing contractual issues, RFT response requirements, technical specifications and a statement of work

requirement = a condition or capability that must be met by a system to satisfy a contract, standard, specification, etc

requirements (organisational set-up) = an organisation risk

residual risk = risk remaining after implementation of risk treatment (HB 436:2004)

residual risk = the remaining levels of risk after risk mitigation measures have been taken

response (treatment) = the owner develops a response that will eliminate, mitigate or transfer his risks and includes the response as part of his plans. There are five possible responses to an actual risk: prevent; mitigate; avoid; transfer; accept/retain

response times =

responsibility = a duty, an obligation, or a burden placed upon an individual or group within the company by someone of higher authority and involves the implied ability to act without guidance or further authority and the acceptance of personal accountability for the outcome

retain (accept) = after risks have been reduced or transferred, there may be residual risks that are accepted or retained, meaning to do nothing and "accept the risk"

RFI = Request For Information

RFP = Request for Proposal

RFQ = Request For Quote

RFT = Request for Tender

risk = some event that has a chance of happening and that, if it happens, will have an impact upon objectives and goals. It is measured in terms of consequences and likelihood (probability)

risk acceptance = an informed decision to accept the likelihood and the consequences of a particular risk

risk analysis = a systematic use of available information to determine how often and when specified events may occur and the magnitude of their likely consequences. A formal process which seeks to separate (a) minor acceptable risks from (b) major risks, and to provide data to assist in the assessment and treatment of risks

risk assessment = the overall process of risk identification, risk analysis and risk evaluation (AS/NZS 4360:2004; see also AS/NZS ISO 31000:2009)

risk assessment = comparing the level of risk found during the analysis process with previously established risk criteria, producing a "measurement" or "level" of risk and deciding on an appropriate "response". The output of a risk assessment is a prioritised list of risks for further action

risk assessment report = a document for recording the process of risk assessment related to particular events and to assist in measuring the level of actual risk. This report is included in other management documents such as project concept document, business case, project management plan, product development plan, acquisition plans within the PMP, change management, etc. Prepared by the manager responsible for preparing the management document to which this risk assessment is to be attached. The Risk Management Department may provide technical assistance in the preparation of this document but it always remains the document of the originator

risk avoidance = an informed decision not to become involved in a risk

risk category = risks generally fall within one of two risk categories (or types): (a) speculative risk and (b) pure risk

risk control = that part of risk management which involves the provision of policies, standards and procedures to eliminate, avoid or minimise risks facing an enterprise

risk domain = risks are managed within a number of formal declared domains: such as credit risk; market risk; operational risk; etc

risk exposure = a hazard. A source of potential harm or a situation with a potential to cause loss

risk financing = the methods applied to fund risk treatment and the financial consequence of risk. Note: in some industries risk financing only relates to funding the financial consequences of risk

risk identification = the process of determining what can happen, why and how. A formal process of identifying the risks to be managed. Comprehensive identification using a well-structured systematic process is critical, because any potential risk not identified at this stage is likely to be excluded from further analysis. Identification will include all risks whether or not they are under the control of the company

risk management = (1) the systematic application of management policies, procedures and practices to the tasks of identifying, analysing, assessing, treating and monitoring risk

risk management = (2) the logical and systematic method of identifying, analysing, assessing, treating, monitoring and communicating risks associated with any activity, function or process in a way that will enable company to build shareholder value over the long term. Risk management is as much about identifying opportunities as avoiding or mitigating losses

risk management project management plan = Some risk treatments require a Project themselves, independent of any other project, especially decisions to avoid risks by making significant changes to the working environment

risk migration = See migrate risk

risk minimization = See minimise risk

risk mitigation = the actions taken to reduce the probability of a risk eventuating, or to negate its effects if it does eventuate. See mitigate risk

risk preview model = adopts a simplified set of descriptors, making input easy to understand and making the output simple and straightforward. These descriptors are the same for both likelihood and consequence and are therefore much more highly subjective than those implied in the operational risk model, requiring only a "gut reaction" from project managers

risk reduction = a selective application of appropriate techniques and management principles to reduce either the likelihood of an occurrence or its consequences, or both

risk register = a document for identifying all actual risks in the company (and thereby documenting the process of eliminating Potential Risks from this list so that this elimination is not performed over and over again unnecessarily). Owned and maintained by the owner/sponsor who considers industry experience to develop a list of operational, credit, market and project risks
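The entries for operational risk exposure (a numerical reading assigned to qualitative descriptors), qualitative and quantitative analysis, risk assessment (whose output is a prioritised list), response, residual risk and the risk register describe one procedure: score each registered risk, compare it with risk criteria, apply the chosen response and rank what remains. The following is an added example of that procedure in code; it is not the glossary's own tooling or any company's model. The consequence words insignificant, minor, moderate and major are the glossary's; the fifth consequence word, the likelihood words, the 1 to 5 scales, the level thresholds, the effect of each response and the sample register entries are all assumptions constructed for the demonstration.

```python
"""Added example: scoring and prioritising a small risk register.

Qualitative analysis uses descriptor words mapped to an assumed 1..5 scale;
quantitative analysis uses probability x financial loss where both are known.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed ordinal scales. "catastrophic" and every likelihood word are
# assumptions; the other consequence words come from the glossary.
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}

# Assumed effect of each response as (likelihood steps, consequence steps).
# "avoid" withdraws from the activity, so the risk leaves the register;
# "accept" (retain) changes nothing.
TREATMENT_EFFECT = {"prevent": (-2, 0), "mitigate": (0, -2), "transfer": (0, -1), "accept": (0, 0)}


@dataclass
class Risk:
    name: str
    domain: str                          # credit, market, operational, project
    likelihood: str                      # qualitative likelihood descriptor
    consequence: str                     # qualitative consequence descriptor
    probability: Optional[float] = None  # annual probability, if quantified
    loss: Optional[float] = None         # financial loss if the event occurs
    responses: List[str] = field(default_factory=list)


def exposure(likelihood: str, consequence: str) -> int:
    """Numeric risk reading (the glossary's ORE): likelihood x consequence."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]


def level(score: int) -> str:
    """Compare a reading with assumed risk criteria to obtain a level of risk."""
    if score >= 15:
        return "extreme"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def expected_loss(risk: Risk) -> Optional[float]:
    """Quantitative analysis: probability x consequence, when both are known."""
    if risk.probability is None or risk.loss is None:
        return None
    return risk.probability * risk.loss


def _step(scale: Dict[str, int], word: str, delta: int) -> str:
    """Move a descriptor delta steps along its ordinal scale, clamped to the ends."""
    order = sorted(scale, key=scale.get)
    idx = min(max(order.index(word) + delta, 0), len(order) - 1)
    return order[idx]


def residual(risk: Risk) -> Optional[Risk]:
    """Risk remaining after the chosen responses; None when the risk is avoided."""
    if "avoid" in risk.responses:
        return None
    lk, cq = risk.likelihood, risk.consequence
    for response in risk.responses:
        d_lk, d_cq = TREATMENT_EFFECT[response]
        lk, cq = _step(LIKELIHOOD, lk, d_lk), _step(CONSEQUENCE, cq, d_cq)
    return Risk(risk.name, risk.domain, lk, cq, risk.probability, risk.loss, [])


def prioritise(register: List[Risk]) -> List[Tuple]:
    """Output of the assessment: (name, inherent score, level, expected loss,
    residual score, residual level), highest inherent exposure first."""
    rows = []
    for r in register:
        inherent = exposure(r.likelihood, r.consequence)
        res = residual(r)
        res_score = 0 if res is None else exposure(res.likelihood, res.consequence)
        res_level = "avoided" if res is None else level(res_score)
        rows.append((r.name, inherent, level(inherent), expected_loss(r), res_score, res_level))
    # Ties on the qualitative reading are broken by expected loss where known.
    rows.sort(key=lambda row: (row[1], row[3] or 0.0), reverse=True)
    return rows


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    Risk("rogue trading", "operational", "unlikely", "major", 0.02, 5_000_000, ["prevent", "mitigate"]),
    Risk("data centre flood", "operational", "rare", "major", 0.01, 2_000_000, ["transfer"]),
    Risk("project cost overrun", "project", "likely", "moderate", 0.4, 300_000, ["mitigate"]),
    Risk("launch unsupported product line", "market", "possible", "major", None, None, ["avoid"]),
    Risk("minor input error", "operational", "almost certain", "insignificant", None, None, ["accept"]),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_REGISTER):
        print(row)
```

The inherent reading is what goes on the risk register; the residual reading is what the risk treatment compliance declaration or certificate attests to, so both are kept side by side. The thresholds and step sizes are the part a real model has to justify: change them and the ranking of the two "high" risks above changes with them.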

risk retention = intentionally or unintentionally retaining the responsibility for loss, or financial burden of loss within the organisation

risk response = See response

risk transfer = shifting the responsibility or burden for loss to another party by legislation, contract, insurance or other means. Risk transfer can also refer to moving a physical risk, or part thereof, elsewhere. See migrate

risk treatment = selection and implementation of appropriate options for dealing with risk. See mitigation

risk treatment action plan and schedule = certain risk treatments are permanent features of business and not just treatment projects. These need action plans and schedules, etc

risk treatment compliance declaration = certain risk treatments require a declaration on behalf of the product owner that risks have been mitigated in order to allow other events to take place

risk treatment compliance certificate = certain risk treatments need certification by persons other than the product owner (and periodic re-certification as part of the monitoring process)

risk type = See risk category

robbery = the act or an instance of unlawfully taking the property of another by the use of violence or intimidation. A criminal risk. See also theft

rogue trading = to trade in an unprincipled, deceitful, and/or unreliable fashion in order to deceive. A criminal risk

rollout response = the owner/sponsor carries out his plan and, in so doing, implements his risk response

routine problem = a fix which is not an emergency and can be either: fix immediately (a workaround is possible until fixed); fix as soon as possible (to be included in the next release); or fix as scheduled (by the Business and Maintenance Group)

safety management system (SMS) = a formal system agreed by the regulator to continually identify hazards, analyse risks, and evaluate and treat risks under such regulatory requirements as Australian Airservices Act or international standards required by International Civil Aviation Organization (ICAO) or national standards as required by departments such as the Ministry of Transport resulting in an integrated set of work practices for ameliorating risk

scenario-build = models describing probable or likely scenarios for end-user testing

schedule = See project schedule

SDLC = system development life cycle

security = the protection of information and data so that unauthorised persons or systems are denied access or the ability to read or modify them while authorised persons or systems are allowed access. Also: The protection of computer hardware and software from accidental or malicious access, use, modification, destruction or disclosure. Note: The definition of Security can vary according to context

service level agreement = a legal agreement between the supplier of a service and the customer setting out in clear terms the expected levels of service and what is to occur if those levels of service are not met. See also Internal Service Level Agreement

sexual harassment = unwanted and offensive sexual advances or sexually derogatory or discriminatory remarks made by one in power to an employee. A criminal risk

simplified qualitative risk analysis = See risk preview model

SLA = Service Level Agreement

SMS = safety management system

SOX (pronounced letter by letter) = Sarbanes-Oxley compliance, corporate auditing requirements

specific reserves = a specific capital charge against the borrower's probability of default, determined during the quarterly review of all accounts in grades 4 and 5. A minimum specific charge applies to all such accounts

speculative risk = any chance where both gain and loss are possible

stakeholder = a key person in the company who has a recognized stake in the achievement of a particular business case or of its outcomes

standard deviation = a statistic used as a measure of the dispersion or variation in a distribution, equal to the square root of the arithmetic mean of the squares of the deviations from the arithmetic mean

standards = generally, a degree or level of requirement, excellence, or attainment. The word "standard" has come to mean three key main concepts: comparative standard; absolute standard; normative standard. See also international standards

strategic plan = a proposed change to any major business objectives and goals will require a strategic plan. This will include: the approach that will be taken for a project; technology to be used; work to be done; resources required; dependencies; methods to be used; configuration management and quality assurance procedures to be followed; schedules to be met; organisation of the project; risks and issues

structure = the manner in which a complex whole is divided into parts and the relations between those parts

supplier = an organisation that enters into contract with the acquirer for the supply of a product. The supplier is synonymous with contractor, producer, seller, or vendor. The acquirer may designate a part of its organisation as supplier

supplier risk = an external event risk

system = an arrangement, a set, or a collection of concepts, parts, activities, and/or people that are connected or interrelated to achieve particular objectives and goals. This definition applies to both manual and automated systems. A system may also be a collection of systems (sub-systems) operating together for common objectives and goals

system development life cycle = processes, activities, and tasks involved in the development, operation, and maintenance of a software product, spanning the life of the system, from the definition of its requirements to the termination of its use

system performance test scripts = for all changes to system or applications

task = a small specified workload to be performed by people according to known standards within a relatively controlled period of time. A task is the lowest level of breakdown in a work breakdown structure (the complete breakdown is: project, phase, activity, task)

technology investment risk = an IT Risk

template = a guide in making something accurately (from the name given to a tool used to accurately reproduce a product in manufacturing or in woodworking). A template is often a document or a report written in final form with spaces for particular information, or with inserted temporary notes containing instructions that will be followed in the completion of the document

terrorism = the unlawful use or threatened use of force or violence by a person or an organised group against people or property with the intention of intimidating or coercing societies or governments, often for ideological or political reasons. A criminal risk

test case = a case with a set of real and likely data where the result is known beforehand for testing a system against requirements following creation or change

test cycles = unit test, system (end-to-end) test, regression testing, system integration testing, user acceptance testing

test scripts = formal written scripts for test cycles

theft = the act or an instance of stealing; larceny, without the use of violence or intimidation. A criminal risk. See also robbery

transfer = reduce the risk by causing another party to bear or share some part or all of the risk because of an existing contract or relationship. Transfer the risk or the residual risk by agreeing to pay a premium now in return for the insurer accepting the risk

treatment (response) = the owner develops a response that will eliminate, mitigate or transfer his risks and includes the response as part of his plans. There are five possible responses to an actual risk: prevent; mitigate; avoid; transfer; accept/retain

TISN = Trusted Information Sharing Network (for Critical Infrastructure Protection)

UAM = user authentication methodology (the basis of user access to a secure environment)

UAM = user acceptance methodology (the basis of UAT)

UAT = user acceptance testing

user acceptance = a formal process for involving the user in the sign off of a new system. For an in-house developed system it involves early statement of user requirements, a sign off of the functional plan by the user, and the sign off by the user following user acceptance testing against the original requirements. For a purchased system it involves a user requirements statement and a gap analysis.

user acceptance testing (UAT) = the final testing stages by users of a new or changed system. The system is tested for stability and whether it is processing data according to requirements. If successful, it signals the approval by the user to implement the system live.

user access = the key to access for the user of a secure environment; usually involves some formal UAM

use case = a formal methodology for defining system requirements; a scenario; software developers and end users cooperate to define how the system will need to interact with the world, such as with an end user or another system, to achieve a specific business goal

user guide = a document written by a technical writer to give assistance to people using the system.

user manual = user guide

user requirements = practical outcomes that will impact the user that are the reason for the development of a new system or for enhancements and modifications to an existing system

user requirements documentation = a business or strategic plan containing all user requirements and the reason for their inclusion

user requirements specification = a formal list of all user requirements contained within the user requirements documentation written in a form that allows validation that changes meet user requirements

validity check = the process of analysing data to determine whether it conforms to predetermined parameters of completeness and consistency

value = See market product value and internal product value

value at risk = the measurement of likely losses, expressed in SAR. The "appetite" for losses. This model adopts the strategy of representing every actual risk with a calculation of "value at risk"

vandalism = wilful or malicious destruction of company property. A criminal risk

VaR = value at risk

verify = the process of determining whether or not the products of a given phase of the SDLC fulfil the requirements established during the previous phase

volatility = tending to vary often or widely, as in price: the ups and downs of volatile stocks. By mapping actual results against normal distribution there is a measure of volatility or value at risk

WGOR = Working Group for Operational Risk

What-if Analysis = the owner/sponsor considers industry experience to form an opinion as to how his operating environment will be altered during and after the project

work instruction = a work instruction is a document that assigns particular tasks (mentioned or implied in a procedure) to a particular individual or group. It is intended that this set of instructions can be followed precisely by this individual or group and contain enough information to allow the completion of their particular part of the procedure in a timely and efficient manner

write offs = credit facilities that are considered un-collectable, and for which all means of recovery have been exhausted, are represented by a credit risk capital charge of 100%, called a "write off"